CVE-2014-2490
Oracle Java ResourceBundle Format String Remote Code Execution Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Unspecified vulnerability in the Java SE component in Oracle Java SE 7u60 and SE 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Vulnerabilidad no especificada en el componente Java SE en Oracle Java SE 7u60 y SE 8u5 permite a atacantes remotos afectar la confidencialidad, integridad y disponibilidad a través de vectores desconocidos relacionados con Hotspot.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of ResourceBundles. The issue lies in insufficient validation of user-supplied data when applying a ResourceBundle. An attacker can leverage this vulnerability to execute code under the context of the current process.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-03-13 CVE Reserved
- 2014-07-16 CVE Published
- 2024-08-06 CVE Updated
- 2024-10-20 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-134: Use of Externally-Controlled Format String
CAPEC
References (16)
| URL | Tag | Source |
|---|---|---|
| http://seclists.org/fulldisclosure/2014/Dec/23 | Mailing List |
|
| http://secunia.com/advisories/60129 | Third Party Advisory | |
| http://secunia.com/advisories/60485 | Third Party Advisory | |
| http://secunia.com/advisories/60812 | Third Party Advisory | |
| http://www.securityfocus.com/archive/1/534161/100/0/threaded | Mailing List | |
| http://www.securityfocus.com/bid/68645 | Vdb Entry | |
| http://www.securitytracker.com/id/1030577 | Vdb Entry | |
| http://www.vmware.com/security/advisories/VMSA-2014-0012.html | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://marc.info/?l=bugtraq&m=140852886808946&w=2 | 2022-05-13 | |
| http://security.gentoo.org/glsa/glsa-201502-12.xml | 2022-05-13 | |
| http://www.debian.org/security/2014/dsa-2980 | 2022-05-13 | |
| http://www.debian.org/security/2014/dsa-2987 | 2022-05-13 | |
| http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html | 2022-05-13 | |
| https://access.redhat.com/errata/RHSA-2014:0902 | 2022-05-13 | |
| https://access.redhat.com/security/cve/CVE-2014-2490 | 2014-07-21 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1119597 | 2014-07-21 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Hp Search vendor "Hp" | Hp-ux Search vendor "Hp" for product "Hp-ux" | b.11.23 Search vendor "Hp" for product "Hp-ux" and version "b.11.23" | - |
Affected
| ||||||
| Hp Search vendor "Hp" | Hp-ux Search vendor "Hp" for product "Hp-ux" | b.11.31 Search vendor "Hp" for product "Hp-ux" and version "b.11.31" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jdk Search vendor "Oracle" for product "Jdk" | 1.7.0 Search vendor "Oracle" for product "Jdk" and version "1.7.0" | update60 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jdk Search vendor "Oracle" for product "Jdk" | 1.8.0 Search vendor "Oracle" for product "Jdk" and version "1.8.0" | update5 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jre Search vendor "Oracle" for product "Jre" | 1.7.0 Search vendor "Oracle" for product "Jre" and version "1.7.0" | update60 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jre Search vendor "Oracle" for product "Jre" | 1.8.0 Search vendor "Oracle" for product "Jre" and version "1.8.0" | update5 |
Affected
| ||||||